top | item 16868012

Show HN: IP Geolocation and Threat Data API

79 points| jonathan-kosgei | 8 years ago |ipdata.co | reply

63 comments

[+] jstarfish|8 years ago|reply
Looks neat, very clean.

What factors go into determining whether an IP is a threat, and how often is this reviewed?

One of the problems I have with most public intel (don't care if it's FireHOL, Crowdstrike, Alienvault or US-CERT) is that inevitably some GoDaddy (for example) site gets used by an APT and so a GoDaddy IP makes it onto a public blacklist, flagged as being abusive. But a billion other sites also share that IP on that host (or it gets reassigned, as in AWS) which leads to a deluge of false positives anytime anyone else happens across it by means of a legitimate site. Some of these IPs remain blacklisted for years despite any malicious infrastructure long being dismantled.

Do you add any value by mitigating this, or do you just suck down the same public blacklists every other product uses?

[+] jonathan-kosgei|8 years ago|reply
Thanks!

You make a valid point. A number of VPN providers for example use GCE/AWS/Softlayer to host their services. And these IPs do get reassigned. One of the ways we mitigate this is by limiting the age of IP addresses in our lists to a maximum of 30 days. If an IP address hasn't been reported to have been responsible for malicious behavior for a period of 30 days it shouldn't be in our lists.

We're also mulling adding an is_cloud_provider field to the threat response object.
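The two mitigations described in the reply above, a 30-day maximum age for reported IPs and a cloud-provider flag, can be shown end to end. The following is an added example, not ipdata's code; the report timestamps and the "cloud" prefix are constructed from documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and do not describe any real host.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=30)

# Constructed sample reports: (ip, time of the most recent abuse report, ISO-8601 UTC).
# Not real threat data.
REPORTS = [
    ("203.0.113.7", "2018-04-20T10:00:00+00:00"),
    ("203.0.113.7", "2018-03-01T00:00:00+00:00"),   # older report for the same IP
    ("198.51.100.9", "2018-01-15T00:00:00+00:00"),  # stale: should age out
    ("192.0.2.44", "2018-04-01T00:00:00+00:00"),    # recent, and inside a "cloud" prefix
]

# Constructed: prefixes we pretend belong to cloud providers, where addresses get
# reassigned quickly and a stale listing is most likely to hit an innocent tenant.
CLOUD_PREFIXES = {
    "example-cloud": [ipaddress.ip_network("192.0.2.0/24")],
}


def latest_reports(reports):
    """Collapse duplicate reports to the newest timestamp per IP."""
    latest = {}
    for ip, ts in reports:
        t = datetime.fromisoformat(ts)
        if ip not in latest or t > latest[ip]:
            latest[ip] = t
    return latest


def age_out(reports, now, max_age=MAX_AGE):
    """Keep only IPs reported within max_age of `now` (the 30-day rule)."""
    return {ip: t for ip, t in latest_reports(reports).items() if now - t <= max_age}


def cloud_provider(ip):
    """Return the provider name if `ip` falls in a known cloud prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CLOUD_PREFIXES.items():
        if any(addr in n for n in nets):
            return name
    return None


def build_threat_list(reports, now):
    """Aged threat list annotated with an is_cloud_provider flag per IP."""
    active = age_out(reports, now)
    return {
        ip: {
            "last_reported": t.isoformat(),
            "is_cloud_provider": cloud_provider(ip) is not None,
        }
        for ip, t in sorted(active.items())
    }


if __name__ == "__main__":
    now = datetime(2018, 4, 25, tzinfo=timezone.utc)
    for ip, info in build_threat_list(REPORTS, now).items():
        print(ip, info)
```

The consumer-side point is that the flag does not remove an IP from the list; it lets a caller decide to treat a hit on a cloud range as lower confidence (or require a second signal) instead of blocking outright.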

[+] f2n|8 years ago|reply
Why is is_anonymous = true for a Tor relay? Why are relays and exit nodes given the same flag? As a Tor relay operator, I anticipate this being misused, like so many before it, to arbitrarily block all Tor relays by people who don't know or care how Tor works.
[+] jonathan-kosgei|8 years ago|reply
Hi f2n, thank you for raising this concern. is_tor and is_anonymous are true for any and all nodes on the Tor network. I'd love to hear more about your concerns, please send me an email at jonathan at ipdata dot co
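The distinction f2n is asking for is visible in the Tor network status itself: every relay has an "r" line carrying its address and an "s" line carrying its flags, and only relays carrying the Exit flag send traffic out to the public internet. The following added example (not ipdata's code) parses a constructed excerpt in that shape and derives separate is_tor_relay and is_tor_exit answers. The nicknames, identity digests and addresses are placeholders from documentation ranges.

```python
from dataclasses import dataclass

# Constructed excerpt shaped like Tor network-status entries:
#   r <nickname> <identity> <digest> <date> <time> <ip> <orport> <dirport>
#   s <flag> <flag> ...
# Identity/digest fields are placeholders, addresses come from documentation ranges.
CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-04-20 12:00:00 203.0.113.10 9001 0
s Fast Guard Running Stable Valid
w Bandwidth=12000
r exitB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2018-04-20 12:05:00 198.51.100.20 443 80
s Exit Fast Running Stable Valid
p accept 80,443
w Bandwidth=5000
r oldD EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2018-04-19 02:00:00 192.0.2.77 9001 0
s Exit Fast Valid
w Bandwidth=100
"""


@dataclass
class Relay:
    nickname: str
    ip: str
    flags: frozenset


def parse_consensus(text):
    """Collect (nickname, ip, flags) for each relay; ignore lines we don't need."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            # Count from the end so the parser also works for microdescriptor
            # consensuses, which omit the <digest> field: ... <date> <time> <ip> <orport> <dirport>
            current = Relay(nickname=parts[1], ip=parts[-3], flags=frozenset())
            relays.append(current)
        elif parts[0] == "s" and current is not None:
            current.flags = frozenset(parts[1:])
    return relays


def classify(relays):
    """Split currently usable relays into exit addresses and non-exit relay addresses.

    Relays without the Running flag are not usable right now and are skipped, so a
    stale entry does not keep an address flagged.
    """
    exits, nonexit = set(), set()
    for r in relays:
        if "Running" not in r.flags:
            continue
        (exits if "Exit" in r.flags else nonexit).add(r.ip)
    return exits, nonexit


def tor_flags(ip, relays):
    """Two separate answers instead of one: is this a Tor exit, is this any Tor relay."""
    exits, nonexit = classify(relays)
    return {"is_tor_exit": ip in exits, "is_tor_relay": ip in exits or ip in nonexit}


if __name__ == "__main__":
    rs = parse_consensus(CONSENSUS)
    for ip in ("203.0.113.10", "198.51.100.20", "192.0.2.77"):
        print(ip, tor_flags(ip, rs))
```

A site that wants to rate-limit or challenge anonymous visitors only needs is_tor_exit; a non-exit relay never originates client connections, so blocking on is_tor_relay only hurts the operators f2n describes.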
[+] Reedx|8 years ago|reply
This looks great! I'll give it a shot for my web game (it's a neverending battle dealing with troll accounts).

I've been using Cloudflare to detect Tor, but couldn't find a good way to detect proxies/etc.

[+] 47|8 years ago|reply
Do you provide a local database? Making a web service call for every request seems like a performance bottleneck.
[+] meritt|8 years ago|reply
I've always had good luck with Maxmind's local database [1] offering. It bewilders me how many companies today create SaaS offerings and refuse to offer on-prem versions. It's like they intentionally want to avoid customers with serious needs (speed and security being the most common need for on-prem) who are willing to pay serious amounts of money.

[1] https://www.maxmind.com/en/geoip2-databases

[+] jonathan-kosgei|8 years ago|reply
Hi, unfortunately we don't. However, performance is very important to us, which is why we have 11 endpoints around the world and average ~65ms response times; see status.ipdata.co.
[+] hangonhn|8 years ago|reply
This is definitely really cool and something I imagine myself using for future projects. The price points are very reasonable and the website is very usable. One question I have though is what best practices do you recommend for how one can protect against IP address spoofing?
[+] jonathan-kosgei|8 years ago|reply
I don't have a resource to point you to, but feel free to reach out via email jonathan at ipdata dot co. Would love to discuss this
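For a web application the address handed to a geolocation or threat lookup is usually not spoofed at the packet level but at the header level: the client sets X-Forwarded-For itself, and code that reads the first entry geolocates whatever the client chose. The following added example (not ipdata's guidance, and not code from the thread) shows the naive extraction next to a hardened one that only trusts hops appended by proxies we operate. The trusted proxy ranges and the request values are constructed assumptions.

```python
import ipaddress

# Assumption for the example: the reverse proxies we run sit in these ranges.
# Anything else in the forwarding chain was written by someone we do not control.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def naive_client_ip(remote_addr, xff):
    """Vulnerable: the leftmost X-Forwarded-For entry is whatever the client sent."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff):
    """Hardened: walk the chain from the nearest hop, skipping only our own proxies.

    The first address that is not one of ours is the peer our outermost trusted
    proxy actually accepted the connection from; everything left of it is
    client-controlled. If no trusted proxy fronted the connection, or the header
    contains garbage, fall back to the TCP peer address, which cannot be forged
    without completing the handshake.
    """
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        return hop
    return remote_addr


if __name__ == "__main__":
    # Constructed request: real client 203.0.113.5 behind our proxy 192.0.2.10,
    # with the client pre-seeding the header to impersonate 198.51.100.77.
    peer, header = "192.0.2.10", "198.51.100.77, 203.0.113.5"
    print("naive   :", naive_client_ip(peer, header))
    print("hardened:", client_ip(peer, header))
```

The value returned by client_ip is the one to feed to a lookup like the API in this thread; feeding naive_client_ip's result lets any visitor pick the country, ASN and threat verdict they are evaluated under.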
[+] nickreese|8 years ago|reply
How often is the threat data updated? Any way to truncate the response to just what we want?
[+] jonathan-kosgei|8 years ago|reply
The data is updated as often as every 15 minutes, though we aggregate all those changes over the course of an hour. Are you interested in only the threat data? We have been considering making it possible to query for individual fields.
[+] zaarn|8 years ago|reply
One of the few services that geoip's my VPN correctly to Germany. Too many of them pick it on France and I get shown lots of ads I don't understand. And no threat either (some blacklist me for sitting on an OVH network).

Good work!

[+] orliesaurus|8 years ago|reply
I tried sharing your page on FB Messenger to a friend who is interested in this kind of API, but Messenger blocked it... man I hate this blacklisting crap... back to IRC it is.
[+] Mediumium|8 years ago|reply
Seems nice.

Small suggestion: 1500 API requests for free and 2500 API requests for 10€.

I think it's a huge leap for pricing; either reduce the requests for free users or reduce the price / increase the requests for the first paid plan.

[+] jonathan-kosgei|8 years ago|reply
It's not really that huge, 1000 requests is a rounding error for our other plans :)
[+] sphix0r|8 years ago|reply
Have you thought about how (or if) GDPR will affect your product?
[+] jonathan-kosgei|8 years ago|reply
Hi sphix0r, yes. First off, we only store logs from user requests for 24 hours and only for analytics. Otherwise our GDPR compliance is still something we're perfecting, but something we believe we're already on the right side of.
[+] coderholic|8 years ago|reply
Jonathan's been doing a great job of ipdata.co! I'd like to also shout out to my own service https://ipinfo.io here though, where we've recently launched new plans that include company details, carrier details, and IP type - we have a custom classifier that labels each IP as isp, business, or hosting, which can be really useful for a bunch of use cases. Here's sample output from the pro plan:

    {
      "ip": "66.87.125.72",
      "hostname": "66-87-125-72.pools.spcsdns.net",
      "city": "Southbridge",
      "region": "Massachusetts",
      "country": "US",
      "loc": "42.0707,-72.0440",
      "postal": "01550",
      "asn": {
        "asn": "AS10507",
        "name": "Sprint Personal Communications Systems",
        "domain": "spcsdns.net",
        "route": "66.87.125.0/24",
        "type": "isp"
      },
      "company": {
        "name": "Sprint",
        "domain": "sprint.com",
        "type": "isp"
      },  
      "carrier": {
        "name": "Sprint",
        "mcc": "310",
        "mnc": "120"
      }
    }
See https://ipinfo.io/responses for more of an overview of the differences between our plans.
[+] always_good|8 years ago|reply
Do you think it's appropriate to shill your own service every time a competitor has a Show HN?

You made the same post during OP's last Show HN: https://news.ycombinator.com/item?id=15881463

I also wonder how mature a project has to be before it seems sheepish to "Show HN".